Advisory October 13, 2023

Critical Atlassian Confluence Vulnerability

The Obrela Threat Intelligence Team

Summary:

Recently, a critical privilege escalation vulnerability was found in Atlassian Confluence Data Center and Server. The vulnerability is tracked as CVE-2023-22515 and carries a Critical CVSS score (10/10). Any device with a network connection to a vulnerable application can exploit CVE-2023-22515 to create a Confluence administrator account within the application. The vulnerability has been observed in the wild since September 14, 2023.


Description:

Atlassian customers have brought to Atlassian’s attention that external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances.

The vulnerability is a critical-severity privilege escalation vulnerability in the Confluence Server and Data Center products (CVE-2023-22515). It allows an external attacker to exploit the system by sending a crafted HTTP request to vulnerable endpoints and to create administrator accounts with passwords known to the attacker, which can then be used to access the Confluence instance. Further compromise can follow from there. No user interaction is required, which increases the risk, and the vulnerability can be exploited remotely, a characteristic usually associated with an authentication bypass or RCE chain rather than a standalone privilege escalation flaw.

Atlassian has confirmed that only a limited set of customers have been attacked via this vulnerability.

Microsoft has linked the exploitation of the critical flaw to a nation-state actor it tracks as Storm-0062 (aka DarkShadow or Oro0lxy).

Storm-0062 is a state hacking group linked to China’s Ministry of State Security and known for targeting software, engineering, medical research, government, defense, and tech firms in the U.S., U.K., Australia, and various European countries to collect intelligence.

The United States charged the Chinese hackers in July 2020 with stealing terabytes of data by hacking government organizations and companies worldwide.

Affected versions:

The vulnerability affects all versions of Confluence Server and Data Center from 8.0.0 to 8.5.2. Atlassian Cloud sites are not affected by this vulnerability. If the Confluence site is accessed via an atlassian.net domain, it is hosted by Atlassian and is not vulnerable to this issue.


Defensive Measures:

Companies should apply the following mitigation measures.

  1. Apply the patches released for the vulnerability.
  2. Upgrade to the latest Long Term Support release or upgrade the Confluence instance to one of the fixed versions as soon as possible. The fixed versions are 8.3.3 or later, 8.4.3 or later, and 8.5.2 or later. These versions can be downloaded from the Atlassian download center.

If upgrading Confluence is not possible, the following mitigation steps reduce the risk of exploitation:

  1. Restrict external network access to the affected instance, so that only authorized users within the network can access Confluence.
  2. Block access to the /setup/* endpoints on Confluence instances. This prevents Confluence administrators (or anyone else) from triggering Confluence setup actions, which could be exploited by attackers.
  3. Engage the security team and check for indicators of compromise. This involves looking for suspicious activities or accounts on the Confluence instance, such as unauthorized administrator accounts, unexpected changes, or unusual network traffic.
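The following triage helper is an added example and is not code from the Obrela advisory or from Atlassian. It implements two of the checks the mitigation list asks for: scanning web-server access log lines for requests to the /setup/* endpoints that should be blocked (flagging those from outside the internal network), and comparing the current Confluence administrator list against a known baseline to surface unexpected accounts. The log lines, account names, the `/setup/example.action` path and the RFC 1918 internal ranges are constructed assumptions for illustration; point `find_setup_requests` at the real reverse-proxy or Confluence access log and feed `unexpected_admins` the administrator group membership exported from the instance.

```python
"""Added example: triage helpers for CVE-2023-22515 mitigation checks.

Not part of the Obrela advisory or Atlassian's tooling. Sample data below
is constructed for illustration only.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Combined-log-format lines, constructed for this example (not real traffic).
SAMPLE_ACCESS_LOG = """\
10.0.5.12 - - [13/Oct/2023:08:01:10 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 5120
203.0.113.77 - - [13/Oct/2023:08:02:41 +0000] "POST /setup/example.action HTTP/1.1" 302 0
10.0.5.30 - - [13/Oct/2023:08:03:02 +0000] "GET /login.action HTTP/1.1" 200 2210
198.51.100.9 - - [13/Oct/2023:08:03:55 +0000] "GET /setup/ HTTP/1.1" 200 1830
10.0.5.12 - - [13/Oct/2023:08:04:20 +0000] "GET /rest/api/space HTTP/1.1" 200 990
"""

# Minimal parser for the common/combined access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the organisation's trusted ranges are the RFC 1918 blocks.
# Replace with the real allow-list used for step 1 (network restriction).
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_internal(ip: str, nets=INTERNAL_NETS) -> bool:
    """True if the client address falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in n for n in nets)


def find_setup_requests(lines: Iterable[str], nets=INTERNAL_NETS) -> List[Dict[str, object]]:
    """Collect requests whose path is under /setup/ (the endpoints step 2 blocks).

    Each hit carries an 'external' flag so that requests from outside the
    trusted network, the case the advisory describes, stand out first.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # compare the path only, not the query
        if path == "/setup" or path.startswith("/setup/"):
            hit: Dict[str, object] = dict(rec)
            hit["external"] = not is_internal(rec["ip"], nets)
            hits.append(hit)
    return hits


def unexpected_admins(current: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """Administrator accounts present now that were not in the approved baseline."""
    return sorted(set(current) - set(baseline))


if __name__ == "__main__":
    for hit in find_setup_requests(SAMPLE_ACCESS_LOG.splitlines()):
        origin = "EXTERNAL" if hit["external"] else "internal"
        print(f"[{origin}] {hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")

    # Constructed account lists: 'svc-backup' was not in the approved set.
    approved = {"admin", "alice"}
    observed = {"admin", "alice", "svc-backup"}
    for name in unexpected_admins(observed, approved):
        print(f"unexpected administrator account: {name}")
```

Any hit flagged EXTERNAL after the network restriction in step 1 is in place indicates the restriction is not effective; any hit at all after step 2 indicates the /setup/* block is not applied at the edge the client actually reaches. Unexpected administrator accounts should be treated as a possible compromise and investigated rather than simply deleted.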


References:

https://thehackernews.com/2023/10/microsoft-warns-of-nation-state-hackers.html

https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html

https://nvd.nist.gov/vuln/detail/CVE-2023-22515

https://www.cve.org/CVERecord?id=CVE-2023-22515

https://socprime.com/blog/cve-2023-22515-detection-a-critical-zero-day-in-confluence-data-center-server-under-active-exploitation/